[00:40.530 --> 00:46.570]  All right, let's see what we can do here. So we're gonna
[00:48.470 --> 00:57.650]  crack RockYou without using RockYou. So all I did was take the RockYou dictionary,
[00:58.210 --> 01:06.450]  piped it through MD5, so we have a big-ass list of MD5 hashes now, and let's see what we can do.
[02:27.520 --> 02:33.940]  Looks like we lost a few hashes in the conversion, but I think we'll be all right.
[02:43.320 --> 02:47.360]  All right, so most basic, let's do a hashcat
[02:54.890 --> 03:00.730]  rockyou.hash. We'll do -a 3 and let's just do
[03:03.230 --> 03:08.470]  five characters. So this will do
[03:10.310 --> 03:15.630]  all character classes for five positions, but we're going to start doing one,
[03:15.630 --> 03:19.710]  and then we'll do two, and then we'll do three, then we'll do four, then we'll do five. So that's
[03:19.710 --> 04:20.540]  what this increment flag does. So that is one, two, three, four, five. I think we're doing okay.
[04:44.690 --> 05:04.480]  All right, almost 300,000 in 27 seconds. Why not? So let's try...
[05:07.080 --> 05:19.340]  We need to grab... We don't have anything. We can't do a wiki strip, that would take too long.
[05:23.580 --> 05:30.500]  Let's see if we can find a dictionary. Something small.
[05:33.760 --> 05:43.220]  Let's try, like, all words of 10 letters, and we want that in a text file.
[06:14.010 --> 06:35.860]  Can't I just have a dictionary? We have...
[06:53.070 --> 07:01.890]  Oh yeah, good point. We could use aspell, that's true. Let's grab wiki strip because we can use it
[07:03.290 --> 08:26.640]  regardless. And then, do we have aspell? Where do aspell's dicts go? There we go.
[08:27.000 --> 08:30.820]  So I'm guessing we could probably use the
[08:33.340 --> 09:38.810]  en_US. Let's do that one. Yeah, maybe that's not a good one. Maybe without accents?
[09:40.270 --> 09:43.970]  I don't think that one's even gonna... That one's gonna matter.
[09:46.190 --> 09:48.110]  Let's instead... Let's go grab...
[10:03.470 --> 10:09.290]  There we go. Let's grab this one.
[10:20.090 --> 10:24.390]  Some random list of words off of GitHub, this ought to be interesting.
[10:28.260 --> 10:38.260]  So we're gonna do rockyou.hash, and then feed it words.txt, and let's see what we get.
[10:39.040 --> 10:41.300]  Actually, let's look at what these even look like.
[10:46.800 --> 10:49.300]  Yeah, this'll work.
[11:20.690 --> 11:26.090]  Okay, actually, it wasn't terrible, so that's good. Let's try doing...
[11:27.910 --> 11:32.730]  Let's do an -a 6 and see what we get. And we'll just add...
[11:34.110 --> 11:38.370]  Let's just add two digits. No, let's just add... Yeah, let's do two digits,
[11:38.370 --> 11:46.370]  and then let's also increment. So we exhaust both of those. Oops, that's gonna fail.
[11:46.370 --> 12:44.810]  But yeah, I mean, I guess that works.
[12:48.370 --> 12:51.530]  We got 2% just off of that. All right, all right.
[12:54.320 --> 13:01.680]  What if we do... If we already incremented two spaces, let's not run that again. Let's do...
[13:05.240 --> 13:10.020]  Well, let's just do like... What year did this come out? 2009, right? So let's do 2008.
[13:32.930 --> 13:37.290]  Oh, we're gonna have to trim this hash file too, because these load times are a bit ridiculous.
[13:54.200 --> 14:01.920]  All right, so not a whole lot of 2008 passwords. Let's... We're gonna add remove.
[14:04.000 --> 14:07.300]  And we're also gonna do an out file. We don't need to do an out file,
[14:07.300 --> 14:09.800]  because we can do a pop file. So what this is gonna do is...
[14:09.800 --> 14:15.600]  So we're gonna take all these words that are in words.txt. We're gonna add 2009 to it.
[14:15.600 --> 14:24.760]  Actually, let's just do... Let's do 2000 digit, digit. So that should cover everything from 0,
[14:24.760 --> 14:29.680]  0 to 99. And then we're gonna remove everything that we cracked, because it's gonna go in our
[14:29.680 --> 14:33.320]  pop file anyway. And then after that, we'll roll our pop file back and we'll try some
[14:34.320 --> 15:26.950]  rule-based attacks. So we've only got 13,700,000 more hashes to crack. Not a lot.
[15:27.910 --> 15:38.270]  Let's do a cut -d :, -f 2- on hashcat.potfile. And we're gonna put that to
[15:41.110 --> 15:54.720]  pot.dict. And then let's roll... Instead of doing an -a 6, let's just do generated rules.
[15:57.680 --> 16:01.120]  And let's do like... Let's do like 5,000 of them.
[16:11.180 --> 16:14.300]  We'll move that removed so we don't have to keep doing it every time we want to change a command
[16:14.300 --> 16:52.420]  line or a run line. Probably should have suppressed output. This is... Get hit status,
[16:52.420 --> 18:04.800]  but we're not gonna see anything. We're up over a million now. So that...
[18:04.800 --> 18:11.980]  That got us almost 11%. No, 8... 9%. Almost 9%. It's pretty good.
[18:13.620 --> 18:18.680]  And the great thing is, is that if we do that again, we're gonna get a bunch more. But this
[18:18.680 --> 18:26.960]  time we're gonna write this... We'll start writing this out to a file so we don't slow down at all.
[18:28.400 --> 18:42.850]  -w... We'll call this rockyou.out. It's not -w, it's -o.
[18:57.640 --> 19:02.940]  This load time's a little bit ridiculous. I think we'll manage. Let's just see what
[19:02.940 --> 19:12.660]  our GPU is doing as well. So down here we'll do like a watch -n 5 nvidia-smi.
[19:30.970 --> 19:34.850]  So even for md5, because there's so many hashes, we're still only going at
[19:34.950 --> 19:43.350]  what's that? 118... 118 million candidates per second, which is a little bit sad, but you know.
[19:47.150 --> 19:55.150]  So we got 278,000 on that one, or 288,000. So if we do it again,
[19:55.150 --> 19:58.670]  we'll get even more. So you just sit here and you loop this attack.
[20:15.240 --> 20:19.580]  I think after this one we'll just do maybe just an uppercase. I don't know. If you have...
[20:19.580 --> 20:22.840]  If you have an idea, tell me what you want to try in the chat,
[20:22.840 --> 20:58.480]  and we'll give it a shot and see how many you get. All right, so let's try...
[21:01.520 --> 21:04.360]  Let's try just uppercasing everything.
[21:41.550 --> 21:46.730]  Wow, we got nothing. Probably because we already had an uppercase in our generated rules.
[21:48.430 --> 21:59.320]  What else can we do? We could try doing some truncates. Let's actually do this.
[21:59.340 --> 22:05.120]  No, no, we'll just do the truncate first. So we'll just take one character off the
[22:05.980 --> 22:11.080]  right side of the plain text and see what happens.
[22:12.600 --> 22:15.340]  Normally this is really good if you have a word list that already has
[22:19.640 --> 22:25.480]  years on the end of it. So if you've already cracked hashes and somebody's using password
[22:25.480 --> 22:32.040]  2019 and then they use password 2020, you trim one to two positions off and then you fill that
[22:32.040 --> 22:38.780]  with digits and get back to it. All right, so let's roll our cracks, because I forgot to do
[22:38.780 --> 23:12.700]  this. We'll roll our cracks back into our word list. I already forgot what I called it. Pot.dict.
[23:17.740 --> 23:22.860]  And then because we started writing an out file, we're going to do the same thing for the out file.
[23:22.860 --> 23:25.780]  Well, actually we don't need to do that.
[23:34.160 --> 24:23.020]  Yeah, we don't need to do that. All right, so we're going to take from the left side,
[24:23.020 --> 24:26.520]  or sorry, from the right side, using -k, we're going to truncate the first two positions
[24:27.480 --> 24:34.060]  of the word that's in pot.dict. And then we're going to try and run everything
[24:34.740 --> 25:24.000]  for two positions and see what we get. Yep, that'll do it.
[26:43.310 --> 27:09.120]  It was actually getting a lot more than I expected it would. All right, so we're, what,
[27:10.940 --> 27:22.110]  10.48% in. We've only got a lot more to go. All right, so if we truncated two,
[27:22.110 --> 27:27.550]  and it did really well, let's truncate three, but instead of adding something,
[27:27.550 --> 27:35.290]  just keep it with the same two positions and see if maybe we can catch some stuff that doesn't have
[27:35.290 --> 27:42.990]  that. This is a little brute force-y without actually doing a mask attack, but I mean,
[27:42.990 --> 27:48.570]  it still kind of makes sense. If somebody prepended, for instance, numbers to a password,
[27:48.570 --> 27:54.950]  if they start with their birth year or something at the beginning, we can strip those off and then
[27:54.950 --> 28:24.750]  start replacing the first digit or the first character that comes after that. Yeah, see that?
[28:25.210 --> 28:53.050]  We're still getting stuff. So one thing I keep seeing in here is there are a lot of passwords
[28:53.050 --> 28:59.810]  that are just digits. So this, to me, tells me that I need to go and brute force all
[28:59.810 --> 29:09.990]  of these, what is that, six, seven characters of digits. So after this one finishes, we'll see
[29:09.990 --> 29:27.850]  if we can do that, because seven digits will be pretty quick. I mean, technically, we could
[29:27.850 --> 29:33.970]  probably even go out to 12, but I don't know. We'll see what the runtime looks like.
[30:02.120 --> 30:05.580]  All right, so we're going to strip all this stuff off, and then we're just going to say
[30:06.540 --> 30:11.640]  -a 3, and we only want digits for, we'll say up to eight.
[30:14.730 --> 30:18.290]  And because there were ones that were less than eight, we're going to increment this as well.
[30:20.690 --> 30:25.290]  So we'll try one digit, then two digits, then three digits, then four digits.
[31:14.050 --> 31:19.970]  All right, so that was pretty quick, and that got us, what, almost seven percent.
[31:19.970 --> 31:24.950]  All right, so let's get rid of this increment, and let's do one more.
[31:27.170 --> 31:32.130]  Actually, who cares? Let's just go until it's going to take too long.
[31:35.960 --> 31:39.480]  So we're going to waste a little bit of time going over the things we already went over,
[31:39.480 --> 31:43.560]  but it was fast enough that it shouldn't really matter too much.
[31:48.930 --> 31:51.290]  I'm really going to keep getting faster as we keep cracking
[31:52.330 --> 31:55.530]  hashes, because it's less workload to do comparisons against.
[32:05.660 --> 32:11.360]  So what we should also see down here is our GPU memory is going to spike once the attack gets
[32:11.360 --> 32:17.800]  going, because we've got all that stuff loaded into the video card's memory.
[32:47.440 --> 32:54.440]  This is kind of a good example of why RockYou was bad in some ways. Like, it's good, but you could
[32:54.440 --> 32:59.480]  trim all of this crap out, because it's going to be rare that you're ever going to see a password
[32:59.480 --> 33:08.120]  that looks like this in a dump today or during a pen test or something. Like, if companies had
[33:08.120 --> 35:02.220]  passwords that look like this, their building's probably on fire. Oh, 24% almost? I'll take it.
[35:16.060 --> 35:19.360]  But this also means 24% of this dictionary is crap.
[36:20.230 --> 36:24.610]  Right? So we're at... let's see what percent we're at so far.
[36:34.640 --> 36:37.000]  So we're at almost 24%...
[36:40.690 --> 36:54.590]  Sorry, almost 25%. Well, that's what? 14 divided by 4 is math?
[37:01.230 --> 37:08.310]  So what these probably are are spammer passwords, though, or automated accounts. So in a lot of ways,
[37:08.310 --> 37:15.110]  you know, like Twitter, for instance, or something... Reddit would be a good one. When you're
[37:15.910 --> 37:21.570]  doing automated account stuff, you don't really care about the security of the account if all
[37:21.570 --> 37:25.970]  you're going to do is sit there and upvote each other or, you know, do retweets or, you know,
[37:25.970 --> 37:33.490]  maybe it's a Twitch bot or something like that. So these are likely... I don't know much about
[37:33.490 --> 38:15.150]  the site other than the dictionary. I mean, it could be telephone numbers, but a five-digit
[38:15.150 --> 38:33.040]  telephone number, like we did have a lot of fives. Six, even. Yep, that's true.
[38:34.800 --> 38:42.030]  Asian countries where sometimes a sentence can be said in a string of numbers, sure.
[39:01.060 --> 39:04.840]  I kind of want it to stop cracking so we can do something else.
[39:06.720 --> 39:55.660]  But you know what? I'm gonna take them. What if... let's do... let's make a word list.
[40:01.730 --> 40:18.670]  We'll just use CeWL again. That's easy. Don't tell DT. I'm gonna scrape Defcon.org.
[40:55.070 --> 40:59.150]  So what are we doing? This is only... so this is only 12. Oh, this is gonna take 30 minutes.
[40:59.150 --> 41:14.990]  I don't want to wait 30 minutes. We're only doing the default, so it's only gonna go
[41:16.490 --> 41:20.350]  too deep. It won't spider too recursively.
[41:38.720 --> 41:42.300]  All right, screw that. I'm tired of waiting. 31 minutes to finish. I don't want to sit around
[41:42.300 --> 41:47.820]  for 31 minutes. Okay, but we're at 25%, so that's pretty good. What else can we do?
[41:49.660 --> 41:53.400]  What if... oh, let's do the PathWell masks.
[42:04.140 --> 42:13.240]  And if you're not familiar with what the PathWell masks are, we will discuss those tomorrow.
[42:19.520 --> 42:27.260]  So this is the top 100 topologies that were observed in corporate networks.
[42:52.190 --> 42:55.890]  Since we have a bunch of them, we'll just do this in a loop.
[42:59.090 --> 43:49.130]  Yep, yep, -a 3 and the mask. And then we'll call it done. Come on, you can do it.
[43:50.590 --> 43:55.170]  Okay. Looks like a pretty good result.
[44:20.360 --> 44:28.440]  So this is all going to be the same structure. So you see we've got one upper. What's that? One,
[44:28.440 --> 44:38.980]  two, three, four, five lowers and two digits. So that would be numbers. Six, eight characters.
[44:39.280 --> 44:43.780]  So we're cracking eight character passwords in... what's our runtime?
[44:46.400 --> 44:51.340]  Less than a minute. And the entire attack is going to complete in about a minute.
[45:10.660 --> 45:13.580]  Oh, we're actually over 25% because we're missing...
[45:14.420 --> 45:23.220]  what? 200 and... yeah, about 200,000 hashes out of this. Or no, we're missing like 3 million.
[45:23.240 --> 45:29.480]  So we're way over 25% at this point. And we're only 40-45 minutes in.
[45:42.410 --> 45:45.910]  So let's actually even... let's take PACK.
[45:53.690 --> 45:58.350]  And we'll run PACK against our cracks and generate some rules and then run some rules
[45:58.350 --> 46:27.880]  against our cracks and see what happens. Let's actually pause this for a second.
[46:49.740 --> 46:55.860]  And what do we call this? pot.dict, I think. Yeah.
[46:57.820 --> 47:01.500]  And we're going to sort this thing before we do this anyway. So let's do...
[47:01.500 --> 47:08.880]  what was that out file? It's like... no, it wasn't hashcat, it was rockyou.out.
[47:08.880 --> 47:19.820]  We'll put those in there. And then we will do a sort -u pot.dict to pot.sorted.
[47:22.720 --> 47:30.960]  And then we'll move pot.sorted to pot.dict.
[47:33.800 --> 47:36.180]  Such a lewd file name.
[47:39.090 --> 47:46.550]  Okay. So let's go... we'll let this keep going. So we will resume this with R.
[47:50.560 --> 47:56.290]  And then let's do... let's do mask... no, we don't want maskgen, we want rulegen.
[47:58.640 --> 48:04.660]  So... uh-oh. I don't think PACK is Python 3.
[48:08.140 --> 48:13.240]  That doesn't look like it to me. We'll try it.
[48:15.540 --> 48:17.740]  Yeah, I didn't think so. Okay.
[48:17.740 --> 48:18.120]  So we're going to do...
[48:20.940 --> 48:24.420]  apt-cache search python2.
[49:00.720 --> 49:03.140]  No module named enchant.
[49:03.800 --> 49:10.500]  So probably the pip to install enchant.
[49:18.680 --> 49:21.100]  We don't even have pip.
[49:24.070 --> 49:25.830]  Oh no.
[49:26.370 --> 49:28.470]  It's all going to hell.
[49:35.800 --> 49:37.160]  What?
[49:49.810 --> 49:54.390]  Python 2 doesn't have... that was pip.whl.
[49:54.730 --> 49:56.510]  No, let's do it.
[50:08.010 --> 50:10.050]  Yeah, it ain't there, man.
[50:11.030 --> 50:19.890]  apt install python-pip.
[50:31.790 --> 50:36.110]  We need to summon iphelix to port PACK to Python 3.
[52:04.540 --> 52:06.700]  What provides enchant now?
[52:25.160 --> 52:27.840]  Python 3 enchant? No, Python 2 enchant.
[52:27.840 --> 52:29.660]  What happens if we do that?
[52:52.620 --> 52:54.340]  Oh, it's pyenchant.
[52:55.480 --> 52:57.160]  Let me smart.
[53:09.510 --> 53:11.080]  Enchant C library.
[53:11.490 --> 53:12.630]  Okay.
[53:21.480 --> 53:24.320]  libenchant-dev.
[53:35.350 --> 53:42.690]  Yeah, it kind of looks like they may have pulled it, but we're working around it.
[53:45.170 --> 53:46.650]  Where are we at?
[53:50.400 --> 53:52.980]  Going slowly, but we're still going.
[53:52.980 --> 53:53.480]  Okay.
[54:04.010 --> 54:06.170]  Okay, we did it.
[54:07.990 --> 54:09.010]  All right.
[54:09.390 --> 54:23.950]  So we want to run statsgen on our dictionary.
[54:26.170 --> 54:28.530]  So that was pot.dict.
[54:28.950 --> 54:30.810]  We'll let it do its thing.
[54:57.020 --> 54:59.020]  All right, so we've got...
[54:59.020 --> 55:00.560]  So these aren't going to help us too much.
[55:00.560 --> 55:01.660]  I mean, they might...
[55:01.660 --> 55:07.460]  We could probably run these and get something out of them, but we're kind of unlikely to.
[55:10.620 --> 55:15.560]  But that's a good example of extracting masks out of dumps that you...
[55:15.560 --> 55:17.480]  Or not dumps, but cracks that you've done.
[55:17.480 --> 55:22.880]  So we could take these right here and put them in a new file and then start running them.
[55:26.080 --> 55:31.600]  But what I want to do is...
[55:33.400 --> 55:34.820]  Do we have our analysis?
[55:35.780 --> 55:37.120]  No, we don't.
[55:39.600 --> 55:41.400]  Why do we not have our analysis?
[55:44.590 --> 55:45.990]  No, because we didn't output them.
[55:45.990 --> 55:46.770]  That's why.
[55:53.320 --> 55:55.280]  So let's write that to masks.out.
[56:18.610 --> 56:20.910]  All right, and then we'll feed that into maskgen.
[56:33.830 --> 56:36.070]  I wonder what the math he based.
[56:36.070 --> 56:40.290]  So that's on a billion per second.
[56:41.770 --> 56:43.370]  I don't think we're going to be able to...
[56:44.750 --> 56:47.650]  I don't think we're going to be able to cover that in this stream.
[56:52.040 --> 56:53.700]  Let's do rulegen though.
[56:55.560 --> 56:58.020]  And we'll just generate some rules.
[57:06.320 --> 57:07.580]  Excuse me?
[57:38.030 --> 57:42.010]  So how does that work for maskgen, but not for rulegen?
[57:42.170 --> 57:46.190]  Or was it statsgen that failed before?
[57:46.190 --> 57:47.990]  I don't even remember anymore.
[58:30.210 --> 58:32.890]  I guess I just forgot to redo it.
[58:33.790 --> 58:38.790]  Okay, so let's take a look at our options here.
[58:38.790 --> 58:41.230]  We can make that a little bit smaller.
[58:46.810 --> 58:49.710]  Take the defaults on everything.
[59:36.880 --> 59:38.460]  We're going through PACK.
[59:39.320 --> 59:40.480]  Generating some rules.
[59:40.480 --> 59:45.540]  We've cracked about, I want to say, close to 30% of RockYou right now
[59:45.540 --> 59:53.460]  using nothing but masks, rules, and passwords that we've cracked from those.
[01:00:02.820 --> 01:00:06.520]  PACK's going to take its sweet time because, you know...
[01:00:51.560 --> 01:00:56.200]  So PACK needs to run through about four and a half million candidates.
[01:00:56.200 --> 01:00:57.840]  So this is going to take a little bit.
[01:00:57.880 --> 01:01:00.780]  So we'll let that run down there and we'll let our PathWell masks keep running.
[01:01:09.820 --> 01:01:11.740]  The old Minga special.
[01:01:12.080 --> 01:01:16.900]  You know, this card has like 13 gig of video memory.
[01:01:16.900 --> 01:01:18.280]  We'd probably be fine.
[01:01:19.920 --> 01:01:21.000]  Let's do it.
[01:01:21.000 --> 01:01:22.020]  I ain't scared.
[01:01:49.690 --> 01:01:51.150]  Right, yeah.
[01:01:57.410 --> 01:01:59.930]  That dictionary just grew massively for PACK.
[01:01:59.930 --> 01:02:02.110]  So, oh well, it'll get over it.
[01:02:22.460 --> 01:02:23.360]  Okay.
[01:02:26.300 --> 01:02:34.470]  So we're gonna do rockyou.hash.
[01:02:34.490 --> 01:02:35.570]  What'd you want?
[01:02:35.570 --> 01:02:38.230]  You wanted the pot.dict.
[01:02:40.350 --> 01:02:44.090]  One, two, three, four, five, six.
[01:02:44.090 --> 01:02:45.650]  All right, here we go.
[01:03:06.500 --> 01:03:10.300]  So we're auto-generating just shy of a million rules.
[01:03:10.300 --> 01:03:13.740]  And we're going to run that against every...
[01:03:17.600 --> 01:03:18.260]  What?
[01:03:18.840 --> 01:03:19.840]  Because.
[01:03:20.120 --> 01:03:21.640]  Because I don't want to.
[01:03:32.050 --> 01:03:33.310]  What if there's...
[01:03:33.310 --> 01:03:38.550]  What if there is a 65 character password in here?
[01:03:40.820 --> 01:03:42.240]  I want it.
[01:03:42.260 --> 01:03:44.340]  And I'm not going to get that with -o.
[01:03:50.940 --> 01:03:52.540]  Why no -w 4?
[01:03:52.540 --> 01:03:55.360]  Yeah, that's a good question.
[01:03:56.180 --> 01:03:57.860]  Because I'm trying to run PACK.
[01:03:57.860 --> 01:03:58.840]  That's why.
[01:04:00.620 --> 01:04:03.660]  I would like this box to actually remain accessible.
[01:04:04.700 --> 01:04:05.580]  I don't...
[01:04:05.580 --> 01:04:06.360]  You know what, dude?
[01:04:06.360 --> 01:04:09.280]  My armpits smell like free birds right now.
[01:04:09.280 --> 01:04:10.340]  It smells delicious.
[01:04:16.820 --> 01:04:18.640]  Nope, that's too close.
[01:04:18.640 --> 01:04:21.140]  Oh, well, you're throwing prints in there.
[01:04:23.340 --> 01:04:25.100]  That's a little close to cheating.
[01:04:25.100 --> 01:04:25.960]  We don't want to use...
[01:04:25.960 --> 01:04:29.720]  We don't want to use rockyou.hash to crack rockyou.hash.
[01:04:29.720 --> 01:04:31.940]  That kind of defeats the purpose.
[01:04:42.320 --> 01:04:43.280]  If we did that...
[01:04:45.300 --> 01:04:47.540]  Imagine RockYou just came out, right?
[01:04:47.540 --> 01:04:51.880]  Like we're all fawning over the fact that we have 14.3 million hashes
[01:04:51.880 --> 01:04:53.300]  and we want to crack them.
[01:04:53.520 --> 01:04:54.600]  We wouldn't have that.
[01:04:54.600 --> 01:04:56.860]  We wouldn't know what rules RockYou was using.
[01:04:56.860 --> 01:04:58.400]  It's totally unfair.
[01:05:01.170 --> 01:05:04.230]  It's like walking in to do a pen test with a domain admin account
[01:05:04.230 --> 01:05:06.750]  and then claiming you own the entire network.
[01:05:06.750 --> 01:05:07.810]  Get out of here.
[01:05:25.570 --> 01:05:26.690]  Almost at 20...
[01:05:26.690 --> 01:05:28.030]  Almost at 25.
[01:05:28.990 --> 01:05:30.150]  We can do it.
[01:05:36.100 --> 01:05:37.640]  Do you put on your Bon Jovi?
[01:05:37.640 --> 01:05:38.460]  Let's go.
[01:06:03.670 --> 01:06:06.410]  It probably would have been smarter to write the cracks to a file.
[01:06:06.410 --> 01:06:07.930]  So this would go a little bit quicker.
[01:06:07.930 --> 01:06:10.670]  But it's also a little less interesting
[01:06:10.670 --> 01:06:14.370]  because then you just sit there and look at a status screen updating every 20 seconds.
[01:06:39.380 --> 01:06:42.680]  See, but this looks like it could actually be an interesting mask to run.
[01:06:44.960 --> 01:06:47.200]  So we've got a big string of these.
[01:06:50.880 --> 01:06:52.260]  There's some with E.
[01:06:52.260 --> 01:06:57.620]  Let's try doing a lower in six digits.
[01:07:04.540 --> 01:07:06.180]  So we'll do -a 3.
[01:07:06.180 --> 01:07:10.660]  We're going to do lower 2, 3, 4, 5, 6.
[01:07:10.660 --> 01:07:20.480]  And then just in case there's some that are maybe five, we'll do increment.
[01:07:20.520 --> 01:07:22.680]  And we're actually going to write these to
[01:07:26.700 --> 01:07:30.360]  rockyou.out, because this should run fast enough, it won't matter.
[01:08:02.260 --> 01:08:03.140]  Better?
[01:08:29.810 --> 01:08:32.430]  All right, so 25, 21.
[01:08:33.970 --> 01:08:35.750]  So we're definitely getting cracks.
[01:08:35.750 --> 01:08:43.990]  So we started at 25.07, so we got, what, 14 or 0.14% out of that.
[01:08:44.790 --> 01:08:46.830]  That's not as good as I thought it would be.
[01:08:47.050 --> 01:08:48.490]  This is more... this one was more fun.
[01:08:48.490 --> 01:08:51.530]  Actually, let's not even do that yet.
[01:08:53.630 --> 01:08:55.770]  Let's roll our cracks back in.
[01:09:01.900 --> 01:09:04.540]  And this is pot.dict.
[01:09:11.740 --> 01:09:13.360]  I'm going to sort -u.
[01:10:36.880 --> 01:10:39.080]  Did that just say it's close to the end?
[01:11:46.710 --> 01:11:49.690]  We need to roll the old hashes back in too, though.
[01:14:45.830 --> 01:14:47.330]  Dude, is this going to finish?
[01:14:48.870 --> 01:14:50.350]  In nine hours?
[01:14:50.590 --> 01:14:51.970]  Oh my god.
[01:14:55.520 --> 01:14:57.180]  Ain't nobody got time for that.
[01:15:00.900 --> 01:15:02.740]  Once PACK's done, we'll...
[01:15:02.740 --> 01:15:03.460]  Actually, you know what?
[01:15:03.460 --> 01:15:05.100]  If I kill this PACK, we'll go faster.
[01:15:05.100 --> 01:15:09.600]  So we'll let PACK do its thing, and then we'll run the PACK rules.
[01:15:34.000 --> 01:15:34.900]  Now, you know what?
[01:15:34.900 --> 01:15:37.780]  I want to run...
[01:15:38.220 --> 01:15:39.020]  What was that?
[01:15:39.020 --> 01:15:41.380]  Lower, one, two, three.
[01:15:41.580 --> 01:15:42.560]  We already do this?
[01:15:44.760 --> 01:15:45.980]  I think we did.
[01:15:46.300 --> 01:15:48.240]  Let's do the opposite of that.
[01:15:48.240 --> 01:15:52.360]  So we've got this one, which seems to be doing a thing.
[01:15:52.980 --> 01:15:56.660]  One, two, three, four, five, six, lower.
[01:15:57.020 --> 01:16:00.640]  One, two, three, four, five, six, lower.
[01:17:15.900 --> 01:17:16.640]  Uh-oh.
[01:17:16.640 --> 01:17:17.700]  Did we break it?
[01:17:37.090 --> 01:17:38.550]  I think it's broken.
[01:17:55.520 --> 01:18:02.640]  We ran out of memory because PACK is trying to do four million rules.
[01:18:04.020 --> 01:18:04.720]  Yeah.
[01:18:09.000 --> 01:18:10.900]  I need a sad trombone.
[01:18:25.070 --> 01:18:26.710]  Should've let PACK finish.
[01:18:27.610 --> 01:18:28.690]  Oh shit.
[01:18:48.260 --> 01:18:50.260]  Well, we didn't do too bad before we crashed.
[01:18:50.260 --> 01:18:51.100]  I mean, I can't even...
[01:18:51.100 --> 01:18:52.260]  I can't even scroll.
[01:18:52.260 --> 01:18:52.940]  Like, this thing is...
[01:18:54.100 --> 01:18:55.440]  This thing is toast.
[01:18:58.700 --> 01:18:59.420]  So we did...
[01:19:00.900 --> 01:19:02.160]  What do we have here?
[01:19:03.620 --> 01:19:05.700]  2.9, so we're at three million there.
[01:19:05.700 --> 01:19:09.220]  And then we trimmed out about three million.
[01:19:09.220 --> 01:19:09.860]  So we cracked about...
[01:19:12.600 --> 01:19:16.260]  Well, I guess that would be almost 50% then, right?
[01:19:17.240 --> 01:19:20.440]  So we've cracked half of RockYou in an hour and 19 minutes
[01:19:21.540 --> 01:19:25.900]  using nothing but masks and a couple word lists.
[01:19:25.900 --> 01:19:28.820]  I think we used the English dictionary.
[01:19:29.100 --> 01:19:31.900]  Got a bunch of stuff with some hybrid attacks.
[01:19:34.560 --> 01:19:37.080]  Did some mask attacks with digits.
[01:19:38.160 --> 01:19:41.460]  Because for whatever reason, RockYou has a million digit passwords.
[01:20:31.480 --> 01:20:33.380]  No, this is it.
[01:20:34.100 --> 01:20:34.800]  You have to...
[01:20:35.860 --> 01:20:37.420]  Britney Spears forum.
[01:20:44.110 --> 01:20:45.950]  Oh shit, we're back.
[01:20:49.960 --> 01:20:51.300]  PACK did its thing.
[01:21:01.180 --> 01:21:02.640]  Really inopportune time, too.
[01:21:02.640 --> 01:21:04.220]  I just shoved food in my mouth.
[01:21:07.380 --> 01:21:10.220]  All right, so PACK went and took a look at
[01:21:10.220 --> 01:21:12.660]  all the words that we had in our word list.
[01:21:12.660 --> 01:21:16.620]  And it built a rule set out of that.
[01:21:17.960 --> 01:21:19.560]  And then it sorted that rule set.
[01:21:19.560 --> 01:21:21.400]  So we can take this analysisSorted.rule
[01:21:22.400 --> 01:21:24.150]  and feed this in on our...
[01:21:28.440 --> 01:21:30.700]  feed this in using our pot.dict.
[01:21:31.300 --> 01:21:33.320]  We should get a shit ton of cracks.
[01:21:33.540 --> 01:21:34.620]  Let's see what happens.
[01:21:45.220 --> 01:23:17.760]  pot.dict, -r, PACK's analysisSorted.rule.
[01:23:18.340 --> 01:23:21.180]  No, and we don't have to cover those because
[01:23:22.240 --> 01:23:24.640]  hashcat defaults to MD5 as it's...
[01:23:26.540 --> 01:23:29.060]  It defaults to MD5 as the hash type.
[01:23:29.060 --> 01:23:31.580]  And since we're running MD5s, we don't need to worry about it.
[01:23:31.580 --> 01:23:34.160]  And because we're still doing dictionary attacks,
[01:23:34.160 --> 01:23:36.140]  we don't need to specify -a because
[01:23:36.800 --> 01:23:39.480]  the default value is to do a dictionary attack.
[01:23:39.800 --> 01:23:44.440]  So adding rules to a dictionary is still a dictionary attack.
[01:23:45.640 --> 01:23:47.620]  It's just mangled by rules.
[01:24:01.600 --> 01:24:04.380]  I mean, at this point, we might just crack everything.
[01:24:49.430 --> 01:24:52.090]  I think I just saw my password fly by too.
[01:24:56.750 --> 01:24:59.190]  The hell's with the 727s?
[01:25:00.950 --> 01:25:03.050]  A bunch of Boeing fans at RockYou.
[01:25:51.280 --> 01:25:52.820]  Yeah, I saw that.
[01:26:33.680 --> 01:26:34.960]  I think so.
[01:26:38.020 --> 01:26:39.240]  Let's do it.
[01:26:53.410 --> 01:26:56.730]  And if only that were the case.
[01:26:57.650 --> 01:27:00.370]  All right, so password.dict.
[01:27:00.370 --> 01:27:03.010]  And then we're going to run...
[01:27:04.030 --> 01:27:05.930]  We're not going to run PACK again because...
[01:27:07.890 --> 01:27:09.190]  No.
[01:27:10.730 --> 01:27:17.530]  And we want analysis rule sorted.
[01:27:58.360 --> 01:28:00.940]  I would laugh if this got nothing.
[01:28:02.700 --> 01:28:05.680]  I think it did it.
[01:28:09.780 --> 01:28:11.520]  2787, yeah.
[01:28:15.940 --> 01:28:17.860]  Good work, Minga, you got nothing.
[01:29:05.540 --> 01:29:06.420]  I don't know.
[01:29:06.420 --> 01:29:10.040]  It's only one word, why would it have queued?
[01:29:10.040 --> 01:29:11.920]  Maybe because it split the workload?
[01:29:20.340 --> 01:29:21.720]  No, there's an -r.
[01:29:22.920 --> 01:29:24.020]  Oh, wait.
[01:29:33.520 --> 01:29:34.640]  All right.
[01:30:00.700 --> 01:30:02.100]  Yeah, yeah, yeah.
[01:30:04.870 --> 01:30:06.310]  I missed an -r.
[01:30:55.140 --> 01:30:56.300]  What was that?
[01:30:56.340 --> 01:30:58.760]  Two percent, roughly.
[01:31:03.600 --> 01:31:07.260]  2787 to 3074, almost three percent.
[01:31:11.370 --> 01:31:12.330]  Now, what if...
[01:31:16.220 --> 01:31:19.740]  I don't want to do the whole thing because that's going to take way too long.
[01:31:22.080 --> 01:31:45.640]  What if s-w-o-r-d...
[01:31:49.050 --> 01:31:50.650]  We'll do two to start.
[01:31:50.650 --> 01:31:52.050]  No, we'll do one to start.
[01:31:57.850 --> 01:31:59.230]  Forgetting all kinds of stuff.
[01:31:59.610 --> 01:32:39.710]  I probably should have done this as increment because these startup times are
[01:32:40.350 --> 01:32:42.170]  getting a bit ridiculous.
[01:33:05.970 --> 01:33:07.630]  Word pass.
[01:33:10.230 --> 01:33:12.310]  No one will ever guess.
[01:34:27.300 --> 01:34:28.620]  Oh, we're getting faster.
[01:34:28.620 --> 01:34:33.800]  We're up to 500 million, almost 500 million.
[01:35:12.460 --> 01:35:15.080]  Yeah, drosap, drosap's always a good one.
[01:40:21.720 --> 01:40:24.040]  I mean, that did pretty good.
[01:40:29.280 --> 01:40:30.080]  Nope.
[01:40:30.080 --> 01:40:33.920]  So that doesn't matter because we already specified it here.
[01:40:48.260 --> 01:40:51.100]  Let's run it out a few more characters and see what it gets.
[01:41:05.760 --> 01:41:10.880]  Something that would have been smart is if we did the lowercase o, the uppercase o,
[01:41:10.880 --> 01:41:12.080]  and then a zero.
[01:41:12.460 --> 01:41:16.640]  And then for i, we do lower i, upper i, and a one.
[01:41:19.660 --> 01:41:21.220]  Run that file.
[01:41:21.680 --> 01:41:23.680]  Yeah, I did that.
[01:41:24.680 --> 01:41:28.860]  We ran the top 100 pathway masks.
[01:41:46.660 --> 01:41:48.000]  Yeah, yeah, yeah.
[01:41:48.000 --> 01:41:49.440]  I'm not doing that.
[01:41:49.440 --> 01:41:51.140]  Dude, on a Tesla?
[01:41:52.720 --> 01:41:53.600]  No.
[01:42:24.500 --> 01:42:27.440]  All right, after this one, we'll run it.
[01:42:28.640 --> 01:42:29.860]  That's going to take 10 minutes.
[01:42:29.860 --> 01:42:30.920]  I don't want to do that.
[01:42:31.900 --> 01:42:39.820]  If you're over there analyzing what the fastest thing you can run to crack as much as you can,
[01:42:39.820 --> 01:42:41.380]  be disappointed.
[01:42:41.780 --> 01:42:43.000]  So what do we have?
[01:42:43.000 --> 01:42:52.660]  So we have A3 incrementing from a minimum of 8 with a runtime of 17 seconds.
[01:42:52.660 --> 01:42:58.380]  We have 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
[01:42:58.380 --> 01:42:59.200]  Okay.
[01:43:03.760 --> 01:43:05.340]  Oh, this changed.
[01:43:18.420 --> 01:43:21.340]  Yeah, increment min.
[01:44:44.500 --> 01:44:48.660]  Yeah, the tools haven't been updated in a while though.
[01:45:12.860 --> 01:45:15.020]  I don't know, I mean, there comes a point where,
[01:45:16.680 --> 01:45:20.800]  you know, you get used to or you've already generated the things that you need to generate,
[01:45:20.800 --> 01:45:24.260]  and you've already found other ways of doing something that you don't need to
[01:45:24.520 --> 01:45:26.780]  pull the tools back into it.
[01:45:28.680 --> 01:45:31.280]  Yeah, no, I still pwmin.
[01:45:40.780 --> 01:45:44.800]  I mean, hell, I didn't even catch it when you typed it and typed it myself, so, you know.
[01:46:31.470 --> 01:46:36.790]  It's not cheating that much because we're still running the attacks.
[01:46:36.790 --> 01:46:38.090]  Yeah, yeah, I know.
[01:46:39.010 --> 01:46:40.750]  But there's a very big difference between,
[01:46:40.750 --> 01:46:45.930]  let's use the rules generated from RockYou against RockYou versus hcstat.
[01:46:51.400 --> 01:46:52.780]  Because you still have to base...
[01:46:52.780 --> 01:46:55.440]  You still have to get your baseline in before you do that.
[01:46:55.660 --> 01:46:56.720]  It is cheating.
[01:47:00.370 --> 01:47:01.770]  That's why we regenerated...
[01:47:03.430 --> 01:47:05.470]  We regenerated the rule set down here.
[01:47:13.280 --> 01:47:15.140]  Yeah, yeah.
[01:47:27.620 --> 01:47:28.980]  Oh, no, no, no, no.
[01:47:32.470 --> 01:47:37.610]  But I'm done in about 30 seconds anyway because it's 11 o'clock and
[01:47:40.580 --> 01:47:42.480]  I want to take a break from sitting here.
[01:48:18.980 --> 01:48:26.620]  All right, so we did 4.4 million plus...
[01:48:38.030 --> 01:48:39.830]  Math is hard.
[01:48:39.970 --> 01:48:45.010]  One, four, three, four, four, three, nine, one, minus...
[01:48:50.270 --> 01:48:55.390]  One, one, nine, two, five, two, five, four, seven, two.
[01:49:03.550 --> 01:49:08.730]  So, four, that's 5.8 million.
[01:49:09.250 --> 01:49:12.950]  So we did just under 50% in an hour and 40 minutes.
[01:49:14.090 --> 01:49:15.590]  It's pretty good.
[01:49:20.990 --> 01:49:22.410]  So I'm gonna blow this box away.
[01:49:22.410 --> 01:49:23.410]  That was fun.
[01:49:24.870 --> 01:49:28.010]  Maybe tomorrow we can do something similar.
[01:49:28.010 --> 01:49:28.750]  I'll save the...
[01:49:28.750 --> 01:49:30.950]  I'll save the cracks, but we'll see.
[01:49:30.950 --> 01:49:32.490]  Saturday night's gonna be crazy.
[01:49:32.610 --> 01:49:33.630]  Anyway, that's it for now.
[01:49:33.630 --> 01:49:34.210]  Thanks, guys.
